I always say in my classes that we are never going to have systems that are 100 percent secure, but we can make them reasonably secure.

Massimiliano Albanese

Massimiliano (Max) Albanese, a Mason Engineering cybersecurity professor and researcher, teaches students to think critically so they can tackle future cyber threats.

Cybersecurity students who want to protect the world from malicious attacks, like the recent security breaches against Equifax and Yahoo, need to become digital detectives who can think outside the box.

They have to be dynamic, responsive to change, and able to adapt to new strategies, says Massimiliano (Max) Albanese, a Mason Engineering cybersecurity professor and researcher.

He has spent years studying the minds and methods of cyber criminals to develop better ways to defend computer systems, and he shares his insights with graduate students in his cybersecurity classes.

“I always say in my classes that we are never going to have systems that are 100 percent secure, but we can make them reasonably secure,” says Albanese, an associate professor in the Department of Information Sciences and Technology (IST).

Defending a complex system is difficult. Attackers normally only need one vulnerable entry point, and once they’re able to find that point, that’s the end of the game. However, defenders need to protect the system from all possible attacks, he says.

Achieving security is a race between defenders and attackers, Albanese says. “You develop new defenses, and the attackers will come out with ways of defeating those defenses. So the question ultimately is: Who is going to be in a better position—the defender or the attacker?”

Albanese, who teaches graduate courses for the cybersecurity concentration in IST’s Applied Information Technology MS program, is on the cutting edge when it comes to teaching and researching cybersecurity.

Mason recently ranked eighth among 20 institutions for its multidisciplinary work in the area of cybersecurity, according to CyberDegrees.org, a Washington, D.C.-based publisher of informational websites on higher education. It’s the only university in Virginia to make the list.

As associate director of the Center for Secure Information Systems, Albanese is working with other researchers to develop adaptive defenses against cyberattacks as part of a five-year, $6.25 million grant from the Department of Defense.

They are studying how to use moving target defenses to create uncertainty for attackers. The goal is to make sure the attacker never has enough information—or enough confidence in the information he has—to run an attack, Albanese says.

There are many different techniques for moving target defense, and no one strategy is a silver bullet, he says. “In the best possible case, we need to combine multiple techniques to provide a good solution.”

One simple example of a moving target defense strategy would be changing your email address every week to avoid spam. The problem is legitimate users would be impacted as well, he says.

Every time you introduce a new defense mechanism that changes some aspect of the system, it makes it harder for the attacker to do his job, but it also makes it harder on the system’s legitimate users.

The goal of his research is to turn the tables in favor of the defender by increasing the complexity and cost for the attacker, he says.

His work is making a difference. “As a member of the Center for Secure Information Systems and a professor in the IST Department, Dr. Albanese is paving the way in both research and teaching in advanced cybersecurity,” says Andre Manitius, the chair of IST.

Albanese emphasizes to his graduate students that the cyberattacks they are facing today won’t be the same ones they will be facing in a few years.

Students will have to think critically to address tomorrow’s threats, he says. “There’s a lot to learn, and what I stress to my students is that, most importantly, they have to learn how to reason through the problems to find a solution.”
